| < draft-ietf-dnsop-nsec-aggressiveuse-08.txt | draft-ietf-dnsop-nsec-aggressiveuse-09.txt > | |||
|---|---|---|---|---|
| Network Working Group K. Fujiwara | Network Working Group K. Fujiwara | |||
| Internet-Draft JPRS | Internet-Draft JPRS | |||
| Updates: 4035 (if approved) A. Kato | Updates: 4035 (if approved) A. Kato | |||
| Intended status: Standards Track Keio/WIDE | Intended status: Standards Track Keio/WIDE | |||
| Expires: July 16, 2017 W. Kumari | Expires: October 1, 2017 W. Kumari | |||
| January 12, 2017 | March 30, 2017 | |||
| Aggressive use of DNSSEC-validated Cache | Aggressive use of DNSSEC-validated Cache | |||
| draft-ietf-dnsop-nsec-aggressiveuse-08 | draft-ietf-dnsop-nsec-aggressiveuse-09 | |||
| Abstract | Abstract | |||
| The DNS relies upon caching to scale; however, the cache lookup | The DNS relies upon caching to scale; however, the cache lookup | |||
| generally requires an exact match. This document specifies the use | generally requires an exact match. This document specifies the use | |||
| of NSEC/NSEC3 resource records to allow DNSSEC validating resolvers | of NSEC/NSEC3 resource records to allow DNSSEC validating resolvers | |||
| to generate negative answers within a range, and positive answers | to generate negative answers within a range, and positive answers | |||
| from wildcards. This increases performance / decreases latency, | from wildcards. This increases performance / decreases latency, | |||
| decreases resource utilization on both authoritative and recursive | decreases resource utilization on both authoritative and recursive | |||
| servers, and also increases privacy. It may also help increase | servers, and also increases privacy. It may also help increase | |||
| skipping to change at page 2, line 7 ¶ | skipping to change at page 2, line 7 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 16, 2017. | This Internet-Draft will expire on October 1, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 41 ¶ | skipping to change at page 2, line 41 ¶ | |||
| 5.1. NSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 5.1. NSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5.2. NSEC3 . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 5.2. NSEC3 . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5.3. Wildcards . . . . . . . . . . . . . . . . . . . . . . . . 6 | 5.3. Wildcards . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5.4. Consideration on TTL . . . . . . . . . . . . . . . . . . 7 | 5.4. Consideration on TTL . . . . . . . . . . . . . . . . . . 7 | |||
| 6. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 6. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 7. Update to RFC 4035 . . . . . . . . . . . . . . . . . . . . . 8 | 7. Update to RFC 4035 . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 10. Implementation Status . . . . . . . . . . . . . . . . . . . . 9 | 10. Implementation Status . . . . . . . . . . . . . . . . . . . . 9 | |||
| 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 | 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 11.1. Change History . . . . . . . . . . . . . . . . . . . . . 10 | 11.1. Change History . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 11.1.1. Version draft-fujiwara-dnsop-nsec-aggressiveuse-01 . 13 | 11.1.1. Version draft-fujiwara-dnsop-nsec-aggressiveuse-01 . 13 | |||
| 11.1.2. Version draft-fujiwara-dnsop-nsec-aggressiveuse-02 . 13 | 11.1.2. Version draft-fujiwara-dnsop-nsec-aggressiveuse-02 . 13 | |||
| 11.1.3. Version draft-fujiwara-dnsop-nsec-aggressiveuse-03 . 13 | 11.1.3. Version draft-fujiwara-dnsop-nsec-aggressiveuse-03 . 13 | |||
| 11.2. new section . . . . . . . . . . . . . . . . . . . . . . 13 | ||||
| 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 12.1. Normative References . . . . . . . . . . . . . . . . . . 13 | 12.1. Normative References . . . . . . . . . . . . . . . . . . 13 | |||
| 12.2. Informative References . . . . . . . . . . . . . . . . . 14 | 12.2. Informative References . . . . . . . . . . . . . . . . . 14 | |||
| Appendix A. Detailed implementation notes . . . . . . . . . . . 14 | Appendix A. Detailed implementation notes . . . . . . . . . . . 15 | |||
| Appendix B. Procedure for determining ENT vs NXDOMAN with NSEC . 15 | Appendix B. Procedure for determining ENT vs NXDOMAN with NSEC . 15 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 1. Introduction | 1. Introduction | |||
| A DNS negative cache exists, and is used to cache the fact that an | A DNS negative cache exists, and is used to cache the fact that an | |||
| RRset does not exist. This method of negative caching requires exact | RRset does not exist. This method of negative caching requires exact | |||
| matching; this leads to unnecessary additional lookups, increases | matching; this leads to unnecessary additional lookups, increases | |||
| latency, leads to extra resource utilization on both authoritative | latency, leads to extra resource utilization on both authoritative | |||
| and recursive servers, and decreases privacy by leaking queries. | and recursive servers, and decreases privacy by leaking queries. | |||
| This document updates RFC 4035 to allow recursive resolvers to use | This document updates RFC 4035 to allow resolvers to use NSEC/NSEC3 | |||
| NSEC/NSEC3 resource records to synthesize negative answers from the | resource records to synthesize negative answers from the information | |||
| information they have in the cache. This allows validating resolvers | they have in the cache. This allows validating resolvers to respond | |||
| to respond with a negative answer immediately if the name in question | with a negative answer immediately if the name in question falls into | |||
| falls into a range expressed by a NSEC/NSEC3 resource record already | a range expressed by a NSEC/NSEC3 resource record already in the | |||
| in the cache. It also allows the synthesis of positive answers in | cache. It also allows the synthesis of positive answers in the | |||
| the presence of wildcard records. | presence of wildcard records. | |||
| Aggressive Negative Caching was first proposed in Section 6 of DNSSEC | Aggressive Negative Caching was first proposed in Section 6 of DNSSEC | |||
| Lookaside Validation (DLV) [RFC5074] in order to find covering NSEC | Lookaside Validation (DLV) [RFC5074] in order to find covering NSEC | |||
| records efficiently. | records efficiently. | |||
| [RFC8020], and [I-D.vixie-dnsext-resimprove] proposes first steps to | [RFC8020] and [I-D.vixie-dnsext-resimprove] propose steps to using | |||
| using NXDOMAIN information for more effective caching. This takes | NXDOMAIN information for more effective caching. This document takes | |||
| this technique further. | this technique further. | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| Many of the specialized terms used in this document are defined in | Many of the specialized terms used in this document are defined in | |||
| DNS Terminology [RFC7719]. | DNS Terminology [RFC7719]. | |||
| skipping to change at page 4, line 31 ¶ | skipping to change at page 4, line 31 ¶ | |||
| attackers to cause a DoS (see additional resources), and also has | attackers to cause a DoS (see additional resources), and also has | |||
| privacy implications (e.g: typos leak out further than necessary). | privacy implications (e.g: typos leak out further than necessary). | |||
| Another example: assume that the (DNSSEC signed) "example.org" zone | Another example: assume that the (DNSSEC signed) "example.org" zone | |||
| contains: | contains: | |||
| avocado.example.org IN A 192.0.2.1 | avocado.example.org IN A 192.0.2.1 | |||
| *.example.org IN A 192.0.2.2 | *.example.org IN A 192.0.2.2 | |||
| zucchini.example.org IN A 192.0.2.3 | zucchini.example.org IN A 192.0.2.3 | |||
| If a query is received for leek.example.org, it contacts its resolver | If a query is received for leek.example.org, the system contacts its | |||
| (which may be itself) to query the example.org servers and will get | resolver (which may be itself) to query the example.org servers and | |||
| back an NSEC record stating that there are no records | will get back an NSEC record stating that there are no records | |||
| (alphabetically) between avocado and zucchini (or an NSEC3 record | (alphabetically) between avocado and zucchini (or an NSEC3 record | |||
| stating there is nothing between two hashed names), as well as an | stating there is nothing between two hashed names), as well as an | |||
| answer for leek.example.org, with the label count of the signature | answer for leek.example.org, with the label count of the signature | |||
| set to two (see [RFC7129], section 5.3 for more details). | set to two (see [RFC7129], section 5.3 for more details). | |||
| If the validating resolver gets a query for banana.example.org it | If the validating resolver gets a query for banana.example.org it | |||
| will once again go off and query the example.org servers for | will once again go off and query the example.org servers for | |||
| banana.example.org (even though it already has proof that there is a | banana.example.org (even though it already has proof that there is a | |||
| wildcard record) - just like above, this has privacy implications, | wildcard record) - just like above, this has privacy implications, | |||
| wastes resources, can be used to contribute to a DoS, etc. | wastes resources, can be used to contribute to a DoS, etc. | |||
| skipping to change at page 7, line 15 ¶ | skipping to change at page 7, line 15 ¶ | |||
| that name using the cached deduced wildcard. If the corresponding | that name using the cached deduced wildcard. If the corresponding | |||
| wildcard record is not in the cache, it MUST fall back to send the | wildcard record is not in the cache, it MUST fall back to send the | |||
| query to the authoritative DNS servers. | query to the authoritative DNS servers. | |||
| 5.4. Consideration on TTL | 5.4. Consideration on TTL | |||
| The TTL value of negative information is especially important, | The TTL value of negative information is especially important, | |||
| because newly added domain names cannot be used while the negative | because newly added domain names cannot be used while the negative | |||
| information is effective. | information is effective. | |||
| Section 5 of [RFC2308] states that the maximum number of negative | Section 5 of [RFC2308] suggests a maximum default negative cache TTL | |||
| cache TTL value is 3 hours (10800). It is RECOMMENDED that | value of 3 hours (10800). It is RECOMMENDED that validating | |||
| validating resolvers limit the maximum effective TTL value of | resolvers limit the maximum effective TTL value of negative responses | |||
| negative responses (NSEC/NSEC3 RRs) to this same value. | (NSEC/NSEC3 RRs) to this same value. | |||
| Section 5 of [RFC2308] also states that a negative cache entry TTL is | Section 5 of [RFC2308] also states that a negative cache entry TTL is | |||
| taken from the minimum of the SOA.MINIMUM field and SOA's TTL. This | taken from the minimum of the SOA.MINIMUM field and SOA's TTL. This | |||
| can be less than the TTL of an NSEC or NSEC3 record, since their TTL | can be less than the TTL of an NSEC or NSEC3 record, since their TTL | |||
| is equal to the SOA.MINIMUM field (see [RFC4035]section 2.3 and | is equal to the SOA.MINIMUM field (see [RFC4035]section 2.3 and | |||
| [RFC5155] section 3.) | [RFC5155] section 3.) | |||
| A resolver that supports aggressive use of NSEC and NSEC3 SHOULD | A resolver that supports aggressive use of NSEC and NSEC3 SHOULD | |||
| reduce the TTL of NSEC and NSEC3 records to match the SOA.MINIMUM | reduce the TTL of NSEC and NSEC3 records to match the SOA.MINIMUM | |||
| field in the authority section of a negative response, if SOA.MINIMUM | field in the authority section of a negative response, if SOA.MINIMUM | |||
| skipping to change at page 9, line 18 ¶ | skipping to change at page 9, line 18 ¶ | |||
| security problem. | security problem. | |||
| It is also suggested to limit the maximum TTL value of NSEC / NSEC3 | It is also suggested to limit the maximum TTL value of NSEC / NSEC3 | |||
| resource records in the negative cache to, for example, 10800 seconds | resource records in the negative cache to, for example, 10800 seconds | |||
| (3hrs), to mitigate this issue. | (3hrs), to mitigate this issue. | |||
| Although the TTL of NSEC/NSEC3 records is typically fairly short | Although the TTL of NSEC/NSEC3 records is typically fairly short | |||
| (minutes or hours), their RRSIG expiration time can be much further | (minutes or hours), their RRSIG expiration time can be much further | |||
| in the future (weeks). An attacker who is able to successfully spoof | in the future (weeks). An attacker who is able to successfully spoof | |||
| responses might poison a cache with old NSEC/NSEC3 records. If the | responses might poison a cache with old NSEC/NSEC3 records. If the | |||
| resolver is NOT making aggressive use of NSEC/NSEC3, the attacker has | resolver is not making aggressive use of NSEC/NSEC3, the attacker has | |||
| to repeat the attack for every query. If the resolver IS making | to repeat the attack for every query. If the resolver is making | |||
| aggressive use of NSEC/NSEC3, one successful attack would be able to | aggressive use of NSEC/NSEC3, one successful attack would be able to | |||
| suppress many queries for new names, up to the negative TTL. | suppress many queries for new names, up to the negative TTL. | |||
| 10. Implementation Status | 10. Implementation Status | |||
| [ Editor note: RFC Editor, please remove this entire section. | [ Editor note: RFC Editor, please remove this entire section. | |||
| RFC6982 says: "Since this information is necessarily time dependent, | RFC6982 says: "Since this information is necessarily time dependent, | |||
| it is inappropriate for inclusion in a published RFC." ] | it is inappropriate for inclusion in a published RFC." ] | |||
| Unbound currently implements aggressive negative caching, as does | Unbound currently implements aggressive negative caching, as does | |||
| skipping to change at page 9, line 45 ¶ | skipping to change at page 9, line 45 ¶ | |||
| and the Unbound developers. | and the Unbound developers. | |||
| Thanks to Mark Andrews for providing the helpful notes for | Thanks to Mark Andrews for providing the helpful notes for | |||
| implementors provided in Appendix B. | implementors provided in Appendix B. | |||
| The authors would like to specifically thank Stephane Bortzmeyer (for | The authors would like to specifically thank Stephane Bortzmeyer (for | |||
| standing next to and helping edit), Ralph Dolmans, Tony Finch, Tatuya | standing next to and helping edit), Ralph Dolmans, Tony Finch, Tatuya | |||
| JINMEI for extensive review and comments, and also Mark Andrews, | JINMEI for extensive review and comments, and also Mark Andrews, | |||
| Casey Deccio, Alexander Dupuy, Olafur Gudmundsson, Bob Harold, Shumon | Casey Deccio, Alexander Dupuy, Olafur Gudmundsson, Bob Harold, Shumon | |||
| Huque, John Levine, Pieter Lexis, Matthijs Mekking (who even sent | Huque, John Levine, Pieter Lexis, Matthijs Mekking (who even sent | |||
| pull requests!) and Ondrej Sury. Mark Andrews also provided the | pull requests!) and Ondrej Sury. | |||
| helpful notes for implementors (https://www.ietf.org/mail- | ||||
| archive/web/dnsop/current/msg18332.html) which we made into | ||||
| Appendix B. | ||||
| 11.1. Change History | 11.1. Change History | |||
| RFC Editor: Please remove this section prior to publication. | RFC Editor: Please remove this section prior to publication. | |||
| -08 to -09: | ||||
| o Made RFC5074 Informative (after discussions with chairs. | ||||
| o Addressed SecDir comments. | ||||
| o Addressed OpsDir comments. | ||||
| -06 to -08: | ||||
| o Largely editorial, but please see the diffs (editors forgot to | ||||
| update change log when editing, backfilling change log.) | ||||
| o Changed "replacement" text to be "DNSSEC enabled validating | ||||
| resolvers SHOULD use wildcards ..." to align with text in doc. | ||||
| o "A resolver that supports aggressive use of NSEC and NSEC3 SHOULD" | ||||
| (should -> SHOULD) - to align with rest of text. | ||||
| -05 to -06: | -05 to -06: | |||
| o Moved some dangling text around - when the examples were added | o Moved some dangling text around - when the examples were added | |||
| some text added in the wrong place. | some text added in the wrong place. | |||
| o There were some bits which mentioned "negative" in the title. | o There were some bits which mentioned "negative" in the title. | |||
| o We had the cut-and-paste of what changed in 4035 twice. | o We had the cut-and-paste of what changed in 4035 twice. | |||
| o Clarified that this also allows NODATA responses to be | o Clarified that this also allows NODATA responses to be | |||
| skipping to change at page 13, line 36 ¶ | skipping to change at page 13, line 41 ¶ | |||
| o Added "Partial implementation" | o Added "Partial implementation" | |||
| o Section 4,5,6 reorganized for better representation | o Section 4,5,6 reorganized for better representation | |||
| o Added NODATA answer in Section 4 | o Added NODATA answer in Section 4 | |||
| o Trivial updates | o Trivial updates | |||
| o Updated pseudo code | o Updated pseudo code | |||
| 11.2. new section | ||||
| 12. References | 12. References | |||
| 12.1. Normative References | 12.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ | |||
| DOI 10.17487/RFC2119, March 1997, | RFC2119, March 1997, | |||
| <http://www.rfc-editor.org/info/rfc2119>. | <http://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS | [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS | |||
| NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, | NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, | |||
| <http://www.rfc-editor.org/info/rfc2308>. | <http://www.rfc-editor.org/info/rfc2308>. | |||
| [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. | |||
| Rose, "Protocol Modifications for the DNS Security | Rose, "Protocol Modifications for the DNS Security | |||
| Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, | Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, | |||
| <http://www.rfc-editor.org/info/rfc4035>. | <http://www.rfc-editor.org/info/rfc4035>. | |||
| [RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name | [RFC4592] Lewis, E., "The Role of Wildcards in the Domain Name | |||
| System", RFC 4592, DOI 10.17487/RFC4592, July 2006, | System", RFC 4592, DOI 10.17487/RFC4592, July 2006, | |||
| <http://www.rfc-editor.org/info/rfc4592>. | <http://www.rfc-editor.org/info/rfc4592>. | |||
| [RFC5074] Weiler, S., "DNSSEC Lookaside Validation (DLV)", RFC 5074, | ||||
| DOI 10.17487/RFC5074, November 2007, | ||||
| <http://www.rfc-editor.org/info/rfc5074>. | ||||
| [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | |||
| Security (DNSSEC) Hashed Authenticated Denial of | Security (DNSSEC) Hashed Authenticated Denial of | |||
| Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | |||
| <http://www.rfc-editor.org/info/rfc5155>. | <http://www.rfc-editor.org/info/rfc5155>. | |||
| [RFC7129] Gieben, R. and W. Mekking, "Authenticated Denial of | [RFC7129] Gieben, R. and W. Mekking, "Authenticated Denial of | |||
| Existence in the DNS", RFC 7129, DOI 10.17487/RFC7129, | Existence in the DNS", RFC 7129, DOI 10.17487/RFC7129, | |||
| February 2014, <http://www.rfc-editor.org/info/rfc7129>. | February 2014, <http://www.rfc-editor.org/info/rfc7129>. | |||
| [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | [RFC7719] Hoffman, P., Sullivan, A., and K. Fujiwara, "DNS | |||
| skipping to change at page 14, line 39 ¶ | skipping to change at page 14, line 39 ¶ | |||
| 2015, <http://www.rfc-editor.org/info/rfc7719>. | 2015, <http://www.rfc-editor.org/info/rfc7719>. | |||
| 12.2. Informative References | 12.2. Informative References | |||
| [I-D.vixie-dnsext-resimprove] | [I-D.vixie-dnsext-resimprove] | |||
| Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS | Vixie, P., Joffe, R., and F. Neves, "Improvements to DNS | |||
| Resolvers for Resiliency, Robustness, and Responsiveness", | Resolvers for Resiliency, Robustness, and Responsiveness", | |||
| draft-vixie-dnsext-resimprove-00 (work in progress), June | draft-vixie-dnsext-resimprove-00 (work in progress), June | |||
| 2010. | 2010. | |||
| [RFC5074] Weiler, S., "DNSSEC Lookaside Validation (DLV)", RFC 5074, | ||||
| DOI 10.17487/RFC5074, November 2007, | ||||
| <http://www.rfc-editor.org/info/rfc5074>. | ||||
| [RFC8020] Bortzmeyer, S. and S. Huque, "NXDOMAIN: There Really Is | [RFC8020] Bortzmeyer, S. and S. Huque, "NXDOMAIN: There Really Is | |||
| Nothing Underneath", RFC 8020, DOI 10.17487/RFC8020, | Nothing Underneath", RFC 8020, DOI 10.17487/RFC8020, | |||
| November 2016, <http://www.rfc-editor.org/info/rfc8020>. | November 2016, <http://www.rfc-editor.org/info/rfc8020>. | |||
| [root-servers.org] | [root-servers.org] | |||
| IANA, "Root Server Technical Operations Assn", | IANA, "Root Server Technical Operations Assn", | |||
| <http://www.root-servers.org/>. | <http://www.root-servers.org/>. | |||
| Appendix A. Detailed implementation notes | Appendix A. Detailed implementation notes | |||
| End of changes. 18 change blocks. | ||||
| 37 lines changed or deleted | 50 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||